Abstract. We present two algorithms to compute the endomorphism ring of an ordinary elliptic curve $E$ defined over a finite field $\mathbb{F}_q$. Under suitable heuristic assumptions, both have subexponential complexity. We bound the complexity of the first algorithm in terms of $\log q$, while our bound for the second algorithm depends primarily on $\log |D_E|$, where $D_E$ is the discriminant of the order isomorphic to $\mathrm{End}(E)$. As a byproduct, our method yields a short certificate that may be used to verify that the endomorphism ring is as claimed.



1. Introduction 

Let $E$ be an ordinary elliptic curve defined over a finite field $\mathbb{F}_q$, and let $\pi$ denote the Frobenius endomorphism of $E$. We may view $\pi$ as an element of norm $q$ in the integer ring of some imaginary quadratic field $K = \mathbb{Q}(\sqrt{D_K})$:

(1) $\pi = \frac{t + v\sqrt{D_K}}{2}$ with $4q = t^2 - v^2 D_K$.

The trace of $\pi$ may be computed as $t = q + 1 - \#E(\mathbb{F}_q)$. Applying Schoof's algorithm to count the points on $E/\mathbb{F}_q$, this can be done in polynomial time [29]. The fundamental discriminant $D_K$ and the integer $v$ are then obtained by factoring $4q - t^2$, which can be accomplished probabilistically in subexponential time [25].

The endomorphism ring of $E$ is isomorphic to an order $\mathcal{O}(E)$ of $K$. Once $v$ and $D_K$ are known, there are only finitely many possibilities for $\mathcal{O}(E)$, since

(2) $\mathbb{Z}[\pi] \subseteq \mathcal{O}(E) \subseteq \mathcal{O}_K$.

Here $\mathbb{Z}[\pi]$ denotes the order generated by $\pi$, with discriminant $D_\pi = v^2 D_K$, and $\mathcal{O}_K$ is the maximal order of $K$ (its ring of integers), with discriminant $D_K$. The discriminant of $\mathcal{O}(E)$ is then of the form $D_E = u^2 D_K$, where the conductor $u$ divides $v$ and uniquely determines $\mathcal{O}(E)$. We wish to compute $u$.

Recall that two elliptic curves over $\mathbb{F}_q$ are isogenous if and only if they have the same trace [20, Ch. 13, Thm. 8.4]. Thus the set $\mathrm{Ell}_t(\mathbb{F}_q)$ of elliptic curves defined over $\mathbb{F}_q$ with trace $t$ constitutes an isogeny class. Each curve in $\mathrm{Ell}_t(\mathbb{F}_q)$ has an endomorphism ring satisfying (2) and therefore a conductor dividing $v$.

In his seminal thesis, Kohel describes the structure of the graph of isogenies defined on $\mathrm{Ell}_t(\mathbb{F}_q)$, and its relationship to the orders in $\mathcal{O}_K$. He applies this structure to obtain a deterministic algorithm to compute $u$ in time $O(q^{1/3+\epsilon})$, assuming the generalized Riemann hypothesis (GRH) [21, Thm. 24].

Here we present two new methods to compute $u$ that further exploit the relationship between the isogeny graph and ideal class groups. Under heuristic assumptions (including, but not limited to, the GRH), we achieve subexponential running times. Both methods yield Las Vegas algorithms: probabilistic algorithms whose output is unconditionally correct. We rely on heuristic assumptions only to bound their expected running times.

In practice we find the algorithms perform well, and are able to handle problem sizes that were previously intractable. We give computational examples over finite fields of cryptographic size where $v$ is large and not smooth (the most difficult case). Over a 200-bit field, for example, the total running time is typically under an hour (see Section 5 for details).

To express our complexity bounds, we adopt the usual notation $L[\alpha, c](n)$. Under the heuristic assumptions detailed in Section 4 we derive the bound

$L[1/2, \sqrt{3}/2](q)$

for Algorithm 1 (Corollary 7), and the bound

$L[1/2 + o(1), 1](|D_E|) + L[1/3, c_f](q)$

for Algorithm 2 (Proposition 10). The $L[1/3, c_f]$ term reflects the heuristic complexity of factoring $4q - t^2$ using the number field sieve [9]. Algorithm 2 is slower than Algorithm 1 in general, but may be much faster when $u \ll v$.

In certain cryptographic applications the discriminant $D_E$ is an important security parameter (see [6] for one example), and it may be necessary for a third party to independently verify its value. The algorithms we use to compute $D_E$ may additionally generate a short certificate to aid this verification. Both certification and verification have heuristically subexponential running times, and one may extend the certification phase in order to reduce the verification time, as discussed in Section 3. Under the same heuristic assumptions used in our complexity bounds, the size of the certificate is $O(\log^{2+\epsilon} q)$ (Corollary 8).



Kohel's algorithm treats each large prime power $p^k$ dividing $v$ by computing the kernel of a certain smooth isogeny of degree $n$. The prime factors of $n$ are small (polynomial in $\log v$), but $n$ itself is large (exponential in $\log v$), and this leads to an exponential running time (see [21, Lem. 29]). We replace this computation with a walk in the isogeny graph using isogenies of low degree (heuristically, subexponential in $\log v$). This walk computes the cardinality of a certain smooth relation, and by performing similar computations in class groups of orders in $\mathcal{O}_K$ we are able to determine the power of $p$ dividing $u$ (via Corollary 4). We adapt an algorithm of McCurley [26] to efficiently find smooth relations, achieving a heuristically subexponential running time. First, we present some necessary background.

2.1. Theoretical background. Let us fix an ordinary elliptic curve $E$ defined over a finite field $\mathbb{F}_q$, with $t$, $D_K$, and $v$ as in (1). We may verify that $E$ is ordinary by checking that $t$ is nonzero modulo the characteristic of $\mathbb{F}_q$ [34, Prop. 4.31].

Recall that the $j$-invariant $j(E)$ may be computed as a rational function of the coefficients of $E$ and, in particular, is an element of $\mathbb{F}_q$. Over the algebraic closure of $\mathbb{F}_q$, the $j$-invariant uniquely identifies $E$ up to isomorphism, but this is not true over $\mathbb{F}_q$. However, two ordinary elliptic curves with the same trace are isomorphic over $\mathbb{F}_q$ if and only if they have the same $j$-invariant [12, Prop. 14.19]. Thus we may explicitly represent the set $\mathrm{Ell}_t(\mathbb{F}_q)$ as a subset of $\mathbb{F}_q$, namely, the $j$-invariants of all elliptic curves over $\mathbb{F}_q$ with trace $t$, and view each element of $\mathrm{Ell}_t(\mathbb{F}_q)$ as a particular elliptic curve representing its isomorphism class.

As noted above, each curve in $\mathrm{Ell}_t(\mathbb{F}_q)$ has an associated $u$ dividing $v$ that identifies its endomorphism ring, and we may partition $\mathrm{Ell}_t(\mathbb{F}_q)$ into subsets $\mathrm{Ell}_{t,u}(\mathbb{F}_q)$ accordingly. We aim to distinguish the particular subset containing $E$ by identifying relations that hold in some $\mathrm{Ell}_{t,u}(\mathbb{F}_q)$ but not others.

Our main tool is the action of the ideal class group $\mathrm{cl}(u^2 D_K)$ of $\mathcal{O}(u^2 D_K)$ (the order of $K$ with conductor $u$) on the set $\mathrm{Ell}_{t,u}(\mathbb{F}_q)$. Here we rely on standard results from the theory of complex multiplication, and the Deuring lifting theorem.

Theorem 1. With $q$, $t$, $v$, and $D_K$ as in (1), let $u$ be a divisor of $v$ and $\mathfrak{a}$ an ideal of $\mathcal{O}(u^2 D_K)$ with prime norm $\ell$. Then $\mathfrak{a}$ acts on the set $\mathrm{Ell}_{t,u}(\mathbb{F}_q)$ via an isogeny of degree $\ell$,² and this defines a faithful group action by $\mathrm{cl}(u^2 D_K)$.

For a proof, see Theorems 10.5, 13.12, and 13.14 in [23], or Chapter 3 of [21]. For additional background, we also recommend [12] and [31, Ch. II].

Theorem 1 implies that the cardinality of $\mathrm{Ell}_{t,u}(\mathbb{F}_q)$ is a multiple of the class number $h(u^2 D_K)$, and in fact these values are equal [30]. In general, the curves $\ell$-isogenous to $E$ need not belong to $\mathrm{Ell}_{t,u}(\mathbb{F}_q)$. However, when $\ell$ does not divide $v$, we have the following result of Kohel [21, Prop. 23]:

Theorem 2. Let $\ell$ be a prime not dividing $v$. There are exactly $1 + (D_E \mid \ell)$ isogenies of degree $\ell$ starting from $E$, and they all lead to curves with endomorphism ring isomorphic to $\mathcal{O}(E)$.

The notation $(D_E \mid \ell)$ is the Kronecker symbol. Note that $(D_E \mid \ell) = (D_K \mid \ell)$, so we can compute it without knowing $D_E$. We are primarily interested in the case $(D_E \mid \ell) = 1$, where the prime $\ell$ splits into distinct prime ideals of norm $\ell$ in $\mathcal{O}(E)$, and these ideals lie in inverse ideal classes $\alpha$ and $\alpha^{-1}$ in $\mathrm{cl}(D_E)$ (if $\ell$ splits into principal ideals, then $\alpha = \alpha^{-1} = 1$). By Theorem 1, the orbit of $E$ under the action of $\alpha$ corresponds to a cycle of $\ell$-isogenies whose length is equal to the order of $\alpha$ in $\mathrm{cl}(D_E)$. Additional details on the structure of the isogeny graph can be found in [21] and, in a more concise way, in [15].

2.2. Explicit computation. We implement class group computations using binary quadratic forms. For a negative discriminant $D$, the ideals in $\mathcal{O}(D)$ correspond to primitive, positive-definite, binary quadratic forms $ax^2 + bxy + cy^2$ (commonly denoted $(a, b, c)$) with discriminant $D = b^2 - 4ac$. The integer $a$ corresponds to the norm of the ideal. Ideal classes in $\mathrm{cl}(D)$ are uniquely represented by reduced forms. As typically implemented, the group operation has complexity $O(\log^2 |D|)$ [5].¹

To navigate the isogeny graph, we rely on the classical modular polynomial $\Phi_\ell(X, Y)$, which parametrizes pairs of $\ell$-isogenous elliptic curves. This is a symmetric polynomial with integer coefficients. For a prime $\ell$ not dividing $q$, two elliptic curves $E_1$ and $E_2$ defined over $\mathbb{F}_q$ are connected by an isogeny of degree $\ell$ if and only if $\Phi_\ell(j(E_1), j(E_2)) = 0$ [m, Thm. 19].

The polynomial $\Phi_\ell$ has size $O(\ell^3 \log \ell)$ [11], and may be computed in time $O(\ell^{3+\epsilon})$ [14]. When $\ell$ is small we use precomputed $\Phi_\ell \in \mathbb{Z}[X, Y]$, but for larger $\ell$ we compute $\Phi_\ell/\mathbb{F}_q$, that is, the integer polynomial $\Phi_\ell$ reduced modulo the characteristic of $\mathbb{F}_q$. This can be accomplished in time $O(\ell^{3+\epsilon} \log q)$ and space $O(\ell^{2+\epsilon} \log q)$ using the CRT method described in [7]. In practice one may consider alternative modular polynomials that are sparser and have smaller coefficients than $\Phi_\ell$.

¹ The algorithm of [28] has complexity $O(\log^{1+\epsilon} |D|)$, but we do not make use of it.
² This isogeny is necessarily cyclic, since it has prime degree.

To find the curves that are $\ell$-isogenous to $E$, we compute the roots of the univariate polynomial $f(X) = \Phi_\ell(X, j(E))$ in $\mathbb{F}_q$. We may restrict ourselves to primes $\ell \nmid v$ with $(D_E \mid \ell) = 1$, so that $f(X)$ has exactly two roots, by Theorem 2. We find these roots by computing $\gcd(f, X^q - X)$ and solving the resulting quadratic, using an expected $O(M(\ell) \log q)$ operations in $\mathbb{F}_q$ (this is the time to compute $X^q \bmod f$). Given $\Phi_\ell/\mathbb{F}_q$, we use $O(\ell^2)$ operations in $\mathbb{F}_q$ to construct $f(X) = \Phi_\ell(X, j(E))$. For $\ell \gg \log q$ this dominates the time to find the roots of $f(X)$ and bounds the cost of taking a single step in the $\ell$-isogeny graph.

2.3. Relations. Let us suppose that $\alpha \in \mathrm{cl}(D_E)$ contains an ideal of prime norm $\ell \nmid v$, and has order $e = |\alpha|$. In this situation we say that the relation $\alpha^e = 1$ holds in $\mathrm{cl}(D_E)$. We cannot actually compute $\alpha^e$ in $\mathrm{cl}(D_E)$, since we do not yet know $D_E$, but we may apply Theorem 1 to compute the action of either $\alpha^e$ or $\alpha^{-e}$ on $E$ by walking a distance $e$ along the cycle of $\ell$-isogenies, starting from $j = j(E)$.

Algorithm WalkCycle($j$, $\ell$, $e$):

1. Set $j_0 \leftarrow j$.
2. Let $j_1$ be one of the two roots of $\Phi_\ell(X, j_0)$.
3. For $s$ from 1 to $e - 1$:
4.   Let $j_{s+1}$ be the root of $\Phi_\ell(X, j_s)/(X - j_{s-1})$.
5. Return $j_e$.

The roots of $\Phi_\ell(X, j_s)$ are typically distinct (exceptions require $|D_E| \le 4\ell^2$, by [15, Thm. 2.2]), but the algorithm applies in any case.

The choice of $j_1$ in Step 2 is arbitrary; it may correspond to the action of either $\alpha$ or $\alpha^{-1}$. Nevertheless, since $e = |\alpha| = |\alpha^{-1}|$, we have $j_e = j_0$ in either case. A difficulty arises when we consider a relation that is not unary, say $\alpha_1^{e_1}\alpha_2^{e_2} = 1$, where $\alpha_i$ contains an ideal of prime norm $\ell_i$ with $\ell_1 \ne \ell_2$. Starting from $j(E)$, we walk $e_1$ steps along the $\ell_1$-isogeny cycle, then walk $e_2$ steps along the $\ell_2$-isogeny cycle. We must make two arbitrary choices and may compute the action of $\alpha_1^{e_1}\alpha_2^{e_2}$, $\alpha_1^{e_1}\alpha_2^{-e_2}$, $\alpha_1^{-e_1}\alpha_2^{e_2}$, or $\alpha_1^{-e_1}\alpha_2^{-e_2}$. The actions of these four elements are almost certainly not identical; even if $\alpha_1^{e_1}\alpha_2^{e_2} = 1$ in $\mathrm{cl}(D_E)$, it is unlikely that $\alpha_1^{e_1}\alpha_2^{-e_2}$ will fix $j(E)$.

To address this situation, we formally define a relation $R$ as a pair of vectors $(\ell_1, \ldots, \ell_k)$ and $(e_1, \ldots, e_k)$, where each $\ell_i$ is prime, $\ell_i \nmid v$ and $(D_K \mid \ell_i) = 1$, and each $e_i$ is a positive integer.³ The integer $k$ is the arity of the relation. Given a discriminant $D = u^2 D_K$ with $u \mid v$, choose ideal classes $\alpha_1, \ldots, \alpha_k \in \mathrm{cl}(D)$ so that $\alpha_i$ contains an ideal of norm $\ell_i$. This ideal need not be the reduced representative of $\alpha_i$, and may be principal (implying $\alpha_i = 1$); this depends on $D$. We now define

(3) $\#R/D = \#\{\tau \in \{\pm 1\}^k : \alpha_1^{\tau_1 e_1} \cdots \alpha_k^{\tau_k e_k} = 1\}$

as the cardinality of the relation $R$ in $\mathrm{cl}(D)$. When $\#R/D > 0$, we say $R$ holds in $\mathrm{cl}(D)$. The integer $\#R/D$ is independent of the choice of the $\alpha_i$. It has even parity, since if $\tau$ belongs to the set in (3) so does $-\tau$.

To compute $\#R/D_E$, we enumerate the $2^k$ possible walks we may take in the isogeny graph, starting from $j(E)$, considering all possible sign vectors $\tau$ (these walks typically form a tree in which each path from root to leaf has $k$ binary branch points). By the symmetry noted above, we may fix $\tau_1 = 1$.

³ In practice, we may wish to relax the constraint $\ell_i \nmid v$ when $\ell_i$ is very small (e.g. 2), see [33].

Algorithm CountRelation($E$, $R$):

1. Compute $j \leftarrow$ WalkCycle($j(E)$, $\ell_1$, $e_1$) and let $J$ be the list $(j)$.
2. For $i$ from 2 to $k$:
3.   Set $J' \leftarrow J$ and then set $J$ to the empty list.
4.   For $j \in J'$:
5.     Set $j_0, j'_0 \leftarrow j$ and let $j_1$ and $j'_1$ be the two roots of $\Phi_{\ell_i}(X, j_0)$.
6.     For $s$ from 1 to $e_i - 1$:
7.       Let $j_{s+1}$ be the root of $f(X) = \Phi_{\ell_i}(X, j_s)/(X - j_{s-1})$.
8.       Let $j'_{s+1}$ be the root of $f(X) = \Phi_{\ell_i}(X, j'_s)/(X - j'_{s-1})$.
9.     Append $j_{e_i}$ and $j'_{e_i}$ to $J$.
10. Return $2n$, where $n$ counts the occurrences of $j(E)$ in $J$.
Given $\Phi_{\ell_i}/\mathbb{F}_q$, the complexity of Algorithm CountRelation is dominated by

(4) $\sum_{i=1}^{k} 2^{i-1} e_i T(\ell_i)$,

where $T(\ell)$ is the time to take a single step in the $\ell$-isogeny graph, which for large $\ell$ is bounded by $O(\ell^2)$ operations in $\mathbb{F}_q$, as noted above. Our algorithms rely on smooth relations in which $k$, $\ell_i$, and $e_i$ are all rather small: in the first example of Section 5 we have $k = 10$, $\ell_i \le 500$, and $e_i \le 3000$. As a practical optimization, we order the couples $(\ell_i, e_i)$ to minimize (4), using an estimate of $T(\ell)$.

Computing $\#R/D$ in $\mathrm{cl}(D)$ (where $D$ is known) is straightforward: one computes the set in (3) by evaluating products of powers in $\mathrm{cl}(D)$. A total of $O(2^k + \sum \log e_i)$ operations in the class group suffice (independent of the $\ell_i$).

2.4. Probing class groups. We now consider how we may distinguish class groups 
of orders in K by computing the cardinality of suitable relations. We rely on the 
following lemma. 

Lemma 3. Suppose $\mathcal{O}(D_1) \subseteq \mathcal{O}(D_2)$. Then for every relation $R$ we have

$\#R/D_1 \le \#R/D_2$.

Proof. Let $\mathfrak{a}$ be an $\mathcal{O}(D_1)$-ideal with norm prime to the conductor of $D_1$. The map

$\mathfrak{a} \mapsto \mathfrak{a}\mathcal{O}(D_2)$

induces a natural morphism of class groups. It preserves norms (see [12, Prop. 7.20] for a proof in the case $D_2$ is fundamental, from which one easily derives the general case) and therefore transports relations from $\mathrm{cl}(D_1)$ to $\mathrm{cl}(D_2)$. □

Corollary 4. Let $p^k$ be a prime power dividing $v$, and let $D_1 = (v/p^j)^2 D_K$ and $D_2 = p^{2k} D_K$, where $j = v_p(v) - k + 1$. Suppose $\#R/D_1 > \#R/D_2$ for some relation $R$, and let $D = u^2 D_K$ where $u \mid v$. Then $p^k \mid u$ if and only if $\#R/D < \#R/D_1$.

Provided we have a suitable relation $R$ for each prime power $p^k$ dividing $u$, we can apply the corollary to $D = D_E$ to determine the prime-power factorization of $u$, and hence the endomorphism ring of $E$. The computations of $\#R/D_1$ and $\#R/D_2$ are performed in the class groups $\mathrm{cl}(D_1)$ and $\mathrm{cl}(D_2)$, but the computation of $\#R/D_E$ takes place in the isogeny graph via the CountRelation algorithm. Notice that we may replace $v$ in the corollary by any multiple of $u$ dividing $v$.
Proposition 5. For all primes $p > 3$, there are infinitely many relations satisfying the assumptions of Corollary 4.

Proof. Consider unary relations with $e_1 = 1$ and $\ell_1 = \ell$, and denote them $R_\ell$. The relation $R_\ell$ holds in $\mathrm{cl}(D)$ precisely when $\ell$ splits into principal ideals in $\mathcal{O}(D)$. For $i \in \{1, 2\}$, let $S_i$ be the set of primes $\ell$ such that $R_\ell$ holds in $\mathrm{cl}(D_i)$. We now show $S_1 \setminus S_2$ is infinite, referring to material from [12, Ch. 8, 9].

The set $S_i$ is equal to the set of primes that split completely in the ring class field $L_i$ of $\mathcal{O}(D_i)$, and recall that $L_i$ is a Galois extension of $\mathbb{Q}$ [12, Lem. 9.3]. The Chebotarev density theorem asserts that $S_1$ and $S_2$ are infinite, and $S_1 \setminus S_2$ is finite if and only if $L_1 \subseteq L_2$ [12, Thm. 8.19].

But $L_1$ cannot be contained in $L_2$, for $\mathcal{O}(D_1)$ is not contained in $\mathcal{O}(D_2)$. Indeed, $p^k$ divides the conductor of $\mathcal{O}(D_2)$ but not that of $\mathcal{O}(D_1)$, which implies that $p^k$ divides the conductor of $L_2$ but not that of $L_1$ (see [12, Ex. 9.20-9.23]). □

In practice, of course, there are many other relations satisfying the requirements of Corollary 4. Empirically, relations $R$ holding in $\mathrm{cl}(D_1)$ satisfy $\#R/D_1 > \#R/D_2$ with probability converging to 1 as $p$ grows. We will not attempt to prove this statement, but as a heuristic assume that this probability is at least bounded above zero, and furthermore that this applies to relations that are smooth (as defined in Section 4). Note that, independent of this assumption, the above proposition guarantees that our algorithms are always able to terminate.

3. Algorithms 

3.1. Computing $\mathcal{O}(E)$ from above. We now describe our first algorithm to compute $u$, the conductor of the order $\mathcal{O}(E)$ isomorphic to $\mathrm{End}(E)$. We rely on Algorithm FindRelation($D_1$, $D_2$), described in Section 3.4, to obtain relations to which Corollary 4 may be applied.

For small primes $p$ dividing $v$, say all $p \le B$ for some $B$, we can efficiently determine the largest prime power $p^k$ dividing $u$ by isogeny climbing, as described in [m, Sec. 4.2] and [33, Sec. 4.1]. This yields an isogenous curve $E'$ for which the conductor of $\mathcal{O}(E')$ is $u' = u/p^k$, using $O(k p^2 \log q)$ operations in $\mathbb{F}_q$ (given $\Phi_p/\mathbb{F}_q$).

For simplicity, the algorithm below assumes that $v$ is not divisible by the square of a prime larger than $B$. The modification to handle large primes whose square divides $v$ is straightforward but unlikely to be needed in practice.

Algorithm 1 ($E/\mathbb{F}_q$):

1. Let Schoof's algorithm compute the trace $t$ of $E$, then determine $D_K$, $v$, and the prime factors of $v$, by factoring $4q - t^2 = -v^2 D_K$.
2. Select a bound $B$ and set $u \leftarrow 1$.
3. For each prime $p \le B$ dividing $v$:
4.   Determine the largest power of $p$ dividing $u$ by isogeny climbing, then set $E \leftarrow E'$, remove all powers of $p$ from $v$, and update $u$.
5. For each prime $p > B$ that divides $v$:
6.   Set $R \leftarrow$ FindRelation($D_1$, $D_2$) with $D_1 = (v^2/p^2) D_K$, $D_2 = p^2 D_K$.
7.   Determine whether $p$ divides $u$ by checking if $\#R/D_E < \#R/D_1$, then update $u$ appropriately.
8. Return $u$.
The correctness of Algorithm 1 follows from Corollary 4. Its running time depends on $B$ and the complexity of FindRelation. Using $B = L[1/2, 1/\sqrt{12}](q)$, we obtain in Section 4 (Corollary 7) a heuristic bound of

$L[1/2, \sqrt{3}/2](q)$

on the expected running time of Algorithm 1, using $L[1/2, 1/\sqrt{3}](q)$ space.

Note that the relations computed in Algorithm 1 only depend on the Frobenius 
trace t of E, not its endomorphism ring, hence they may be reused to compute the 
endomorphism ring of any curve in the same isogeny class. These relations also 
provide a means to subsequently verify the computation of u, but for this purpose 
we may wish to specialize the relations to u, a task we now consider. 

3.2. Certifying $u$. Let us suppose that a particular value $u$ is claimed as the conductor of $\mathcal{O}(E)$. This may arise in a situation where $u$ is actually known, either via Algorithm 1 or from the construction of $E$ (say, by the CM method), but may also occur when one wishes to test a provisional value of $u$, as we will do in Algorithm 2. We first give an algorithm to construct a certificate that may be used to efficiently check whether a given curve with trace $t$ in fact has endomorphism ring $\mathcal{O}(E)$ with conductor $u$ (equivalently, it allows one to test whether an element of $\mathrm{Ell}_t(\mathbb{F}_q)$ lies in $\mathrm{Ell}_{t,u}(\mathbb{F}_q)$).

The construction of this certificate depends only on $u$, $v$, and $D_K$ and does not require an elliptic curve as input. Small prime factors of $u$ and $v$ may be removed by isogeny climbing prior to calling Certify.

Algorithm Certify($u$, $v$, $D_K$):

1. For each prime factor $p$ of $v/u$:
2.   Set $R_p \leftarrow$ FindRelation($D_1$, $D_2$) with $D_1 = u^2 D_K$ and $D_2 = p^2 D_K$.
3. For each prime factor $p$ of $u$:
4.   Set $R_p \leftarrow$ FindRelation($D_1$, $D_2$) with $D_1 = (u^2/p^2) D_K$ and $D_2 = u^2 D_K$.
5. Return $C = (u, v, D_K, \{R_p\}_{p \mid v})$.

The relations computed in Step 2 may verify that the actual value of $u$ divides the claimed value, whereas the relations computed in Step 4 may verify that the claimed value of $u$ is not a proper divisor of the actual one, as shown by Algorithm Verify.

Algorithm Verify($E/\mathbb{F}_q$, $C$):

1. For each prime factor $p$ of $v/u$, verify that $\#R_p/E > \#R_p/p^2 D_K$.
2. For each prime factor $p$ of $u$, verify that $\#R_p/(u^2/p^2) D_K > \#R_p/E$.
3. Return true if all verifications succeed and false otherwise.

In addition to the verification of $u$ above, one may also wish to verify that $v$ and $D_K$ are correct. This may be accomplished in polynomial time if the trace $t$ and the factorizations of $v$ and $D_K$ are included in the certificate. One may additionally wish to certify the primes in these factorizations [5], or the verifier may apply a polynomial-time primality test [1]. Assuming these values are correct, the conductor of $\mathcal{O}(E)$ is equal to $u$ if and only if Verify($E$, $C$) returns true. This statement does not depend on any unproven hypotheses.

The size of the certificate is unconditionally bounded by a polynomial in $\log q$, and under heuristic assumptions we obtain an $O(\log^{2+\epsilon} q)$ bound (Corollary 8). Within this bound, certificates for primes dividing $v$ or $D_K$ can be included, as each certificate requires $O(\log^{1+\epsilon} q)$ space and there are $O(\log q)$ such primes.

The expected running times of Certify and Verify depend on a smoothness parameter $\mu$ used by FindRelation. This parameter may be chosen to balance the cost of certification and verification, as in Algorithm 2 below, or one may reduce the verification time by increasing the certification time. See Proposition 9 and the discussion following it for an analysis of this trade-off.

3.3. Computing $\mathcal{O}(E)$ from below. We now present a second algorithm to compute $u$, which may be much faster than Algorithm 1 if $u$ is small compared to $v$, and is in general only slightly slower. Our basic strategy is to examine each of the divisors $u_i$ of $v$ in order, attempting to prove that $u = u_i$ is the conductor of $\mathcal{O}(E)$, by constructing a certificate and verifying it. This only requires finding relations in class groups with discriminants whose absolute value is at most $|u^2 D_K|$.

Typically $v$ has few divisors (almost always $O(\log^{\log 2} v)$ [HI, p. 265]), in which case this basic strategy is quite effective. However, in order to improve performance in the worst case, we apply isogeny climbing to effectively remove prime factors from $v$ as we go, thereby reducing the number of $u$'s we must consider. As above, we suppose $v$ is square-free for the sake of presentation.

Algorithm 2 ($E/\mathbb{F}_q$):

1. Let Schoof's algorithm compute the trace $t$ of $E$, then determine $D_K$, $v$, and the prime factors of $v$ by factoring $v^2 D_K = t^2 - 4q$.
2. Set $x \leftarrow 0$.
3. Set $w \leftarrow \max(1/3,\; x/2 + 1/\log q)$.
4. For primes $p < \exp(\log^w v)$:
5.   Test whether $p \mid u$ by isogeny climbing, then set $E \leftarrow E'$ and $v \leftarrow v/p$.
6. For divisors $u$ of $v$ less than $\exp(\log^{2w} v)$:
7.   If Verify($E$, Certify($u$, $v$, $D_K$)) returns true:
       Return the product of $u$ and the primes determined in Step 5.
8. Set $x \leftarrow 2w$ and go to Step 3.

The variable w is used to bound the complexity of isogeny climbing using a 
known lower bound for u that increases as the algorithm proceeds. Initially we 
have no information about u so we use the cost of the factorization computed in 
Step 1 to select w. 

The running time of Algorithm 2 is analyzed in Section 4, where the bound

$L[1/2 + o(1), 1](|D_E|) + L[1/3, c_f](q)$

is obtained under suitable heuristic assumptions. The same assumptions yield an $L[1/2 + o(1), 2/3](|D_E|) \log q$ space bound.

3.4. Finding Relations. Given negative discriminants $D_1$ and $D_2$, we seek a relation $R$ satisfying $\#R/D_1 > \#R/D_2$. We find such an $R$ by searching for a relation that holds in $\mathrm{cl}(D_1)$ and then testing this inequality. As noted at the end of Section 2, this test almost always succeeds, but if not we search for another relation.

To find relations that hold in $\mathrm{cl}(D_1)$, we adapt an algorithm of McCurley [18, 26]. Fix a smoothness bound $B$, and for each prime $\ell \le B$ with $(D_1 \mid \ell) \ne -1$, let $f_\ell$ denote the primeform with norm $\ell$. By this we mean the binary quadratic form $(\ell, b_\ell, c)$ of discriminant $D_1$ with $b_\ell \ge 0$, which may be constructed via [8, Alg. 3.3].
We then generate random reduced forms by computing the product

(5) $(a, b, c) = \prod_\ell f_\ell^{x_\ell}$,

where the $x_\ell$ are suitably constrained (and mostly zero). If the prime factors of $a$ are bounded by $B$, say $a = \prod_\ell \ell^{y_\ell}$, then we may decompose $(a, b, c)$ as

(6) $(a, b, c) = \prod_\ell f_\ell^{\tau_\ell y_\ell}$,

where for nonzero $y_\ell$, $\tau_\ell = \pm 1$ is defined by $b \equiv \tau_\ell b_\ell \bmod 2\ell$.

Recall that $n = \sqrt{|D_1|/3}$ is an upper bound on the norm of a reduced imaginary quadratic form [8, Ex. 5.14]. Provided that $\prod_\ell \ell^{|x_\ell|} > n$, the decompositions in (5) and (6) must be different, since $a \le n$. This yields a non-trivial relation with exponents $e_\ell = x_\ell - \tau_\ell y_\ell$.

In order to minimize the cost of computing $\#R/D_E$ (via CountRelation) for the relations we obtain, in addition to bounding the primes $\ell$, we must also bound the exponents $e_\ell$, and especially the number of nonzero $e_\ell$, which determines the arity $k$ of $R$. To achieve this we require all but a constant number $k_0$ of the $x_\ell$ to be zero (we use $k_0 = 3$), and note that if we assume $a$ is a random $B$-smooth integer in $[1, n]$, then we expect it to have approximately $2\log n/\log B$ distinct prime factors. In the unlikely event that $k$ significantly exceeds this expected value, we seek a different relation.

Having bounded $k$, the complexity of CountRelation then depends on the products $e_i T(\ell_i)$ appearing in (4). For large $\ell$ we have $T(\ell) = O(\ell^2)$ operations in $\mathbb{F}_q$. To make the products $e_\ell T(\ell)$ approximately equal we may use the bound $|x_\ell| \le (B/\ell)^2$. In practice we use a bound

$|x_\ell| \le (B/\ell)^\omega$,

that better reflects the cost of $T(\ell)$ for moderate values of $\ell$ (we typically use $\omega \approx 1.6$); this has no impact on our asymptotic analysis.

The Canfield-Erdős-Pomerance theorem [10, Thm. 3.1] implies that if we sample uniformly random integers from the interval $[1, n]$ until we find one that is $L[1/2, \mu](n)$-smooth, our expected sample size is $L[1/2, 1/(2\mu)](n)$, where the implied constants can all be made explicit. This allows us to compute a lower bound $m(B, n)$ on the number of random integers we must sample from $[1, n]$ in order to have a better than 50% chance of finding one that is $B$-smooth.

We initially set $B = L[1/2, \mu](n)$, for a suitably chosen $\mu$, and compute $m(B, n)$ on the heuristic assumption that the norms of the forms we generate are about as likely to be $B$-smooth as random integers in the interval $[1, n]$.⁴ In practice we find this to be the case; however, to account for the possibility that none of the elements generated according to our constraints have $B$-smooth norms (or that none of the relations we find are suitable), we increase the smoothness bound by a constant factor $r$ slightly greater than 1 if we fail to find a suitable relation after testing $2m(B, n)$ elements.

⁴ This is true for random forms, see [8, Prop. 11.4.3].
Algorithm FindRelation($D_1$, $D_2$):

1. Set $B = L[1/2, \mu](n)$, where $n = \sqrt{|D_1|/3}$.
2. Compute primeforms $f_\ell$ for $\ell \le B$.
3. Repeat $2m(B, n)$ times:
4.   Pick random integers $x_\ell$ with $|x_\ell| \le (B/\ell)^\omega$ such that at most $k_0$ of the $x_\ell$ are nonzero and $\prod_\ell \ell^{|x_\ell|} > n$.
5.   Compute the reduced form $(a, b, c) = \prod_\ell f_\ell^{x_\ell}$.
6.   If $a$ is $B$-smooth:
7.     Let $R$ be the relation with $e_\ell = |x_\ell - \tau_\ell y_\ell|$ where $a = \prod_\ell \ell^{y_\ell}$, and let $k$ be the arity of $R$.
8.     If $k < (2/\mu)\log^{1/2} n$ and $\#R/D_1 > \#R/D_2$, then return $R$.
9. Set $B \leftarrow rB$ and go to Step 2.

As a practical optimization, we may choose not to generate completely new values for $x_\ell$ every time Step 4 is executed, instead changing just one bit in one of the nonzero $x_\ell$. This allows the form $(a, b, c)$ to be computed in most cases with a single composition/reduction using a precomputed set of binary powers of the $f_\ell$.

To implement Step 6 one may use the elliptic curve factorization method (ECM) to probabilistically identify $B$-smooth integers in time $L[1/2, 2](B) = L[1/4, \sqrt{2\mu}](n)$, which effectively makes the cost of smoothness testing negligible within the precision of our subexponential complexity bounds. A faster approach uses Bernstein's algorithm, which identifies the smooth numbers in a given list in essentially linear time [4]. This does not change our complexity bounds and for the sake of simplicity we use ECM in our analysis.

In practice, the bound B is quite small (under 1000 in both our examples), and 
very little time is spent on smoothness testing. In our implementation we used a 
combination of trial division and a restricted form of Bernstein's algorithm. 
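The class-group side of Sections 2.3 and 2.4 (computing $\#R/D$ by enumerating the sign vectors of (3), then applying the test of Corollary 4) and the relation search of this section can be exercised on a toy instance. The code below is an added example; it is not code from the paper or its authors. It represents ideal classes of $\mathcal{O}(D)$ by reduced binary quadratic forms, composes them with the algorithm in Cohen's "A Course in Computational Algebraic Number Theory" (Alg. 5.4.7), and runs a simplified FindRelation: the smoothness bound $B$ is passed in directly rather than derived from $m(B, n)$, primeforms are restricted to primes splitting in both $\mathcal{O}(D_1)$ and $\mathcal{O}(D_2)$, and the requirement $\prod_\ell \ell^{|x_\ell|} > n$ is replaced by discarding any candidate whose two decompositions cancel to the trivial relation. Every function name, and the parameters $D_K = -23$, $v = 3$, $p = 3$ used in the test, are constructed for this example and appear nowhere in the paper.

```python
# Added example, not code from the paper: ideal classes of O(D) as reduced binary
# quadratic forms (a, b, c), b^2 - 4ac = D < 0; composition is Cohen's Alg. 5.4.7.
import random

def xgcd(a, b):  # (g, x, y) with x*a + y*b = g = gcd(a, b) >= 0
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1, y0, y1 = x1, x0 - q * x1, y1, y0 - q * y1
    return (a, x0, y0) if a >= 0 else (-a, -x0, -y0)

def reduce_form(a, b, c):  # the unique reduced form equivalent to (a, b, c)
    D = b * b - 4 * a * c
    while True:
        b = a - (a - b) % (2 * a)  # normalise b into (-a, a]
        c = (b * b - D) // (4 * a)
        if a < c or (a == c and b >= 0):
            return (a, b, c)
        a, b, c = c, -b, a

def compose(f1, f2):  # reduced Dirichlet composition of two forms of one discriminant
    (a1, b1, _), (a2, b2, c2) = (f2, f1) if f1[0] > f2[0] else (f1, f2)
    s, n = (b1 + b2) // 2, (b2 - b1) // 2
    d, y1 = (a1, 0) if a2 % a1 == 0 else xgcd(a2, a1)[:2]
    d1, x2, y2 = (d, 0, -1) if s % d == 0 else xgcd(s, d)
    if s % d != 0:
        y2 = -y2
    v1, v2 = a1 // d1, a2 // d1
    r = (y1 * y2 * n - x2 * c2) % v1
    return reduce_form(v1 * v2, b2 + 2 * v2 * r, (c2 * d1 + r * (b2 + v2 * r)) // v1)

def identity(D):  # the principal form, the unit of cl(D)
    return (1, D % 2, (D % 2 - D) // 4)

def power(f, e, D):  # f^e in cl(D) by square-and-multiply; e may be negative
    if e < 0:
        f, e = reduce_form(f[0], -f[1], f[2]), -e  # (a, -b, c) is the inverse
    result = identity(D)
    while e:
        result = compose(result, f) if e & 1 else result
        f, e = compose(f, f), e >> 1
    return result

def kronecker(D, l):  # Kronecker symbol (D | l) for a prime l
    if l == 2:
        return 0 if D % 2 == 0 else (1 if D % 8 == 1 else -1)
    r = pow(D % l, (l - 1) // 2, l)
    return 0 if r == 0 else (1 if r == 1 else -1)

def primeform(D, l):  # the paper's f_l = (l, b_l, c) with 0 <= b_l < 2l
    for b in range(2 * l):
        if (b * b - D) % (4 * l) == 0:
            return (l, b, (b * b - D) // (4 * l))
    raise ValueError("%d does not split in O(%d)" % (l, D))

def count_relation(primes, exps, D):  # #R/D: sign vectors tau with prod alpha_i^(tau_i e_i) = 1
    one = identity(D)
    pos = [power(primeform(D, l), e, D) for l, e in zip(primes, exps)]
    neg = [power(f, -1, D) for f in pos]
    count = 0
    for mask in range(1 << len(primes)):
        prod = one
        for i in range(len(primes)):
            prod = compose(prod, neg[i] if mask >> i & 1 else pos[i])
        count += prod == one
    return count

def prime_power_divides_u(primes, exps, D1, D2, D):  # Corollary 4 for D = u^2 D_K
    c1 = count_relation(primes, exps, D1)
    if c1 <= count_relation(primes, exps, D2):
        raise ValueError("relation does not satisfy #R/D1 > #R/D2")
    return count_relation(primes, exps, D) < c1  # p^k | u iff #R/D < #R/D1

def find_relation(D1, D2, B, k0=3, x_bound=4, tries=200, seed=1):
    """Simplified FindRelation: products of primeforms in cl(D1) with B-smooth norm a
    give e_l = x_l - tau_l*y_l via (5) and (6); trivial relations are discarded."""
    rng = random.Random(seed)
    forms = {l: primeform(D1, l) for l in range(2, B + 1)  # primes splitting in both orders
             if all(l % q for q in range(2, l)) and kronecker(D1, l) == kronecker(D2, l) == 1}
    for _ in range(tries):
        x = {l: rng.randint(-x_bound, x_bound)
             for l in rng.sample(sorted(forms), min(k0, len(forms)))}
        f = identity(D1)
        for l, xl in x.items():  # (a, b, c) = prod f_l^x_l, eq. (5)
            f = compose(f, power(forms[l], xl, D1))
        a, b, _ = f
        rest, e = a, dict(x)
        for l in forms:  # a = prod l^y_l with b = tau_l * b_l (mod 2l), eq. (6)
            while rest % l == 0:
                rest //= l
                e[l] = e.get(l, 0) - (1 if (b - forms[l][1]) % (2 * l) == 0 else -1)
        R = sorted((l, abs(v)) for l, v in e.items() if v)
        if rest != 1 or not R:
            continue  # a not smooth over the usable primes, or a trivial relation
        primes, exps = [l for l, _ in R], [v for _, v in R]
        if count_relation(primes, exps, D1) > count_relation(primes, exps, D2):
            return primes, exps
    return None
```

In the constructed instance $D_K = -23$, $v = p = 3$ (so $D_1 = D_K = -23$ and $D_2 = p^2 D_K = -207$ in Corollary 4 with $j = k = 1$), $\mathrm{cl}(-23)$ is cyclic of order 3 and generated by the class of $(2, 1, 3)$, so the unary relation $R = ((2), (3))$ has $\#R/D_1 = 2$; the class of $(2, 1, 26)$ in $\mathrm{cl}(-207)$ has order 6, so $\#R/D_2 = 0$. The Corollary 4 test then reports $3 \nmid u$ for $D = -23$ and $3 \mid u$ for $D = -207$, and `find_relation(-23, -207, 3)` recovers exactly this relation from random products of the single usable primeform.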

4. Complexity Analysis

The complexity bounds derived below depend on the following heuristics:

(1) Small primes. We assume the GRH. The effective Chebotarev bounds of Lagarias and Odlyzko then imply that for all $x = \Omega(\log^{2+\epsilon} |D_K|)$ there are $\Omega(x/\log x)$ primes less than $x$ that split in $\mathcal{O}_K$, where the implied constants are all effectively computable [Thm. 1.1].

(2) Random norms. We assume that the norms of the reduced forms computed in Step 4 of FindRelation have approximately the distribution of random integers in $[1, n]$. Under this assumption, we apply the Canfield-Erdős-Pomerance theorem to estimate the probability of generating a form whose norm is $B$-smooth.

(3) Random relations. If $D_1 = u_1^2 D_K$ and $D_2 = u_2^2 D_K$ are sufficiently large discriminants with $u_2 \mid u_1$, and $R$ is a random relation for which $\#R/D_1 > 0$, with $\ell_i$ and $e_i$ bounded as in FindRelation, then we assume that $\#R/D_1 > \#R/D_2$ with probability bounded above zero.

(4) Integer factorization. We assume that ECM finds a prime factor $p$ of an integer $n$ in expected time $L[1/2, 2](p) \log n$ [24], and that the expected running time of the number field sieve is $L[1/3, c_f](n)$ [9].
In the propositions and corollaries that follow, we use the shorthand (H) to indicate that we are assuming Heuristics 1-4 above.

Proposition 6. (H) FindRelation($D_1$, $D_2$) has expected running time

$L[1/2, 1/(\sqrt{8}\mu)](|D_1|) + L[1/2, 0](|D_1|) \log^3 |D_2|$.

The output relation $R$ has norms $\ell_i$ bounded by $L[1/2, \mu/\sqrt{2}](|D_1|)$, exponents $e_i$ bounded by $L[1/2, \sqrt{2}\mu](|D_1|)$, and arity $k < (2/\mu)\log^{1/2} n$.

Proof. Let B = L[l/2,/i](n) = L[l/2,/i/V2] (l^il), where n = ^/Di/S. By 
Heuristic 1, for sufficiently large B there are il(logB) primes £ = 0{log^ B) with 
{Di I ^) = 1. For these £, the value of may range up to B^^^ , for any S > 0. 
Thus there are more than 2m{B, n) = L [1/2, l/(2/i)] distinct elements that may be 
generated in Step 4, and with high probability at least m{B, n) are. So Heuristic 2 
applies, and with probability greater than 1/2 we generate at least one element 
with _B-smooth norm each time Step 3 is executed. 

Under Heuristic 2, the expected number k of nonzero exponents is at most 

fco + 21ogn/logB = fco + -log^/' |i?i|(loglog \Di\)-^/^, 

M 

since we expect a random B-smooth integer in [1, n] to have (2 + o(l)) logn/ logS 
distinct prime factors (this may be proven with the random bisection model of [3]). 
This, together with Heuristic 3, ensures that when Step 8 is reached the algorithm 
terminates, with some constant probability greater than zero. Thus we expect to 
reach Step 9 just 0(1) times, and the total number of forms (a, 6,c) generated by 
the algorithm during its execution is bounded by L [1/2, l/{2^)] (n). 

For each form (a, b, c), the algorithm tests whether a is B-smooth in Step 6. Applying ECM, under Heuristic 4 we identify a B-smooth integer (with high probability) in time L[1/2, √2](B) = L[1/4, √μ](n). This yields

  L[1/2, 1/(2μ)](n) = L[1/2, 1/(√8 μ)](|D_1|),

as a bound on the expected time spent finding relations.

The bounds on k, the ℓ_i, and the e_i are immediate. We may bound the cost of computing #R/D_j, for j ∈ {1, 2}, by

  O(2^k log(max e_i) log^3 |D_j|) = O(2^k log^{7/2+ε} |D_j|) = L[1/2, 0](|D_1|) log^3 |D_j|.

The proposition follows. □

Corollary 7. (H) Algorithm 1 has expected running time L[1/2, √3/2](q).

Proof. We may compute t in polynomial time with Schoof's algorithm, and under Heuristic 4 we factor 4q − t^2 = −v^2 D_K in expected time L[1/3, c_f](q).

We use B = L[1/2, 1/√12](q) in Algorithm 1, and set μ = 1/√6 when calling FindRelation. The cost of isogeny climbing, the calls to FindRelation, and the calls to CountRelation to compute #R/D_E all have expected complexity L[1/2, √3/2](q), including the cost of computing the required Φ_ℓ/F_q. Only O(log q) iterations are required in Algorithm 1 (one for each p | v), which does not change the complexity bound. □
Corollary 8. (H) Let D_1 = u^2 D_K and D_2 = v^2 D_K. The expected running time of Certify(u, v, D_K) is within an O(log v) factor of the expected complexity of FindRelation(D_1, D_2). The output certificate C has size O(log^{1+ε} |D_1| log v).

Proof. Algorithm Certify makes fewer than O(log v) calls to FindRelation with |D_1| ≤ |u^2 D_K| and |D_2| ≤ |v^2 D_K|. Applying the bounds of Proposition 6 for ℓ_i, e_i, and k, each relation has size O(log |D_1| log log |D_1|). □

Proposition 9. (H) Given a certificate C produced by Algorithm Certify with parameter μ and an elliptic curve E/F_q, Algorithm Verify(E/F_q, C) has expected running time

  L[1/2, 3μ/√2](|u^2 D_K|) log^{2+ε} q.

Proof. The expected time to compute Φ_ℓ/F_q is O(ℓ^{3+ε} log^{1+ε} q) [7, 11]. By Proposition 6, each relation in the certificate contains O(log^{1/2} |D_1|) distinct ℓ_i, each bounded by L[1/2, μ/√2](|u^2 D_K|). There are at most O(log q) relations in the certificate, yielding a total time of

  L[1/2, 3μ/√2](|u^2 D_K|) log^{2+ε} q,

to compute all the Φ_{ℓ_i}/F_q needed for verification. The total cost of all calls to CountRelation may be bounded by

  L[1/2, √2 μ](|u^2 D_K|) log^{1+ε} q,

using fast multiplication in F_q, which is dominated by the bound above. □

To balance the costs of verification and certification, one uses μ = 1/√6. The verification time may be reduced (and the certification time increased) by choosing a smaller μ. For example, with μ = 1/√18 the verification time is L[1/2, 1/2](|u^2 D_K|) and the certification time is L[1/2, 3/2](|u^2 D_K|), ignoring logarithmic factors in q.

Proposition 10. (H) Algorithm 2 has expected running time

  L[1/2 + o(1), 1](|D_E|) + L[1/3, c_f](q).

Proof. In Step 1 we compute t in polynomial time and factor −v^2 D_K in expected time L[1/3, c_f](q), by Heuristic 4. Let μ = 1/√6 in all the calls to Certify, in order to balance the cost of Verify. The cost of each certification/verification performed in Step 7 is then bounded by L[1/2, √3/2](|D_E|) log^{2+ε} q, according to Proposition 9, since we never test a divisor of v that is greater than the conductor u of D_E. In Step 6, v can contain no prime factors less than exp(log^w v). Thus the number of divisors is bounded by

  2^{⌊log v / log^w v⌋} ≤ L[w, 1](v) = L[1/2 + o(1), 1](|D_E|).

In the rightmost equality we have used

(7)  log |D_E| ≥ log u^2 ≥ log^{2w − 1/log q} v  ⟺  log v ≤ log^{1/(2w − 1/log q)} |D_E|

to express the bound in terms of |D_E|, noting that

  w/(2w − 1/log q) = 1/2 + 1/(4w log q − 2),

where w ≥ 1/3 and q → ∞ as |D_E| → ∞. The cost of Step 7 for all the divisors considered in a single execution of Step 6 is bounded by L[1/2 + o(1), 1](|D_E|) log^{2+ε} q.




The algorithm may repeat Step 6 up to log q times, but the cost of each iteration dominates all prior ones, so we have bounded the total cost of Step 7.

The cost of isogeny climbing in Step 5 during the first iteration is bounded by

  exp((3 + o(1)) log^{1/3} v) log^{2+ε} q = L[1/3, c_f](q)

(for any c_f), and thereafter cannot exceed

  exp((3 + ε) log^w v) log^{2+ε} q = L[w, 1](v) log^{2+ε} q = L[1/2 + o(1), 1](|D_E|) log^{2+ε} q.

Here we have again applied (7), and the choice of the constant 1 (or any constant) is justified by the fact that 3/(log log |D_E|)^{1−w} → 0 as |D_E| → ∞.

To complete the proof, we note that if L[1/2 + o(1), 1](|D_E|) log^{2+ε} q exceeds L[1/3, c_f](q) we may incorporate the log^{2+ε} q factor into the o(1) term. Otherwise, the complexity is L[1/3, c_f](q), and the proposition holds in either case. □

In both Algorithms 1 and 2, the space is dominated by the size of the polynomials Φ_ℓ/F_q. As noted above, these can be computed in O(ℓ^{2+ε} log q) space [7]. Plugging in parameters from the complexity analysis above, and making the same heuristic assumptions, we obtain an L[1/2, 1/√3](q) space bound for Algorithm 1, and an L[1/2 + o(1), 2/3](|D_E|) log q space bound for Algorithm 2.

5. Examples 

The rough timings we give here were achieved by a simple implementation running on a single 2.4GHz Intel Q6600 core. The algorithm FindRelation was implemented using the GNU C/C++ compiler [31] and the GMP library [18], and for CountRelation we used a PARI/GP script [27]. We did not attempt to maximize performance; our purpose was simply to demonstrate the practicality of the algorithms on some large inputs. In a more careful implementation, constant factors would be substantially improved and many steps could be parallelized.

5.1. First Example. We consider the elliptic curve E/F_q with Weierstrass equation Y^2 = X^3 − 3X + c_E, where

  c_E = 660897170071025494489036936911196131075522079970680898049528;
  q = 1606938044258990275550812343206050075546550943415909014478299.

Its trace t = 212 is computed by the Schoof-Elkies-Atkin algorithm in a few seconds and, factoring 4q − t^2, it is nearly instantaneous to retrieve D_K = −7 and

  v = 2 · 127 · 524287 · 7195777666870732918103 = 2 · 127 · p_1 · p_2.

Let us apply Algorithm 1 to compute the conductor u of O(E). First, we use isogeny climbing to handle small prime factors p of v, those for which Φ_p can be computed in reasonable time (or, more likely, have already been precomputed); here, this means 2 and 127. It takes roughly 20 seconds to compute Φ_127 and isogeny climbing itself takes less than 2 seconds. We find that none of these primes divide u; hence E' = E and we may now assume v = p_1 p_2.

For p_1 we set D_1 = (v/p_1)^2 D_K and D_2 = p_1^2 D_K as in Corollary 3. To find a relation satisfying this corollary, we use Algorithm FindRelation(D_1, D_2) with the bound B = 500. Corollary 7 uses B = L[1/2, 1/√12](q) ≈ 1900, but, taking into account constant factors in the complexity estimates, we find experimentally that B = 500 better balances the expected running time of FindRelation with that of computing #R/D_E. The iteration bound 2m(B, n) = 6 · 10^7 has been evaluated via m(B, n) = 1/ρ(u) with u = log n / log B ≈ 8 using Table 1 of [17], computed by Bernstein.

After about 20 minutes, FindRelation outputs the relation R with

  (ℓ_i^{e_i}) = (2^{2533}, 11^{752}, 29^{e_3}, 37^{e_4}, 79^{e_5}, 113^{e_6}, 149^{e_7}, 181^{e_8}, 347^{e_9}, 431^{e_{10}}),

for which #R/D_1 = 2 and #R/D_2 = 0. Note that, as suggested by Footnote 3, we make use of ℓ = 2 even though it divides v (using the algorithm in [33, Sec. 4.2]). Now, to evaluate #R/D_E using Algorithm CountRelation(E, R), we need to compute the required modular polynomials. We use precomputed Φ_ℓ for ℓ < 100, and for ℓ ≥ 100 apply the algorithm in [7]; Φ_431 takes 5 minutes, Φ_347 takes 3 minutes, and the others take less than a minute each. Finally, #R/D_E is evaluated in 6.5 minutes. Since #R/D_E < #R/D_1, we conclude from Corollary 4 that p_1 is a factor of u.

We now turn to p_2 and set D_1 = (v/p_2)^2 D_K and D_2 = p_2^2 D_K accordingly. The relation R = (2^{3}, 11^{5}, 43^{e_3}, 71^{e_4}) is found almost instantly by FindRelation(D_1, D_2), and we have #R/D_1 = 2 and #R/D_2 = 0. CountRelation(E, R) computes #R/D_E = 2 in 1.5 seconds, proving that p_2 ∤ u (since #R/D_E ≥ #R/D_1).

All in all, we have found the conductor u = p_1 of the elliptic curve E defined over a 200-bit prime field in only slightly more than half an hour of computation. The sizes of the primes p_1 and p_2 represent nearly a worst case; if p_2 were 5 or 6 bits larger, the remaining part of v would be small enough that one could more efficiently use a combination of isogeny climbing and Hilbert class polynomials to determine u.

We note that, in this example, we could have used the invariant γ_2 = j^{1/3} (or other more favorable invariants [7, 14]) in place of j, allowing us to use modular polynomials in place of Φ_ℓ that can be more quickly computed. Doing so would let us increase the bound B (reducing the time to find relations), and lead to an overall improvement in the running time.

5.2. Second Example. Consider now the elliptic curve E : Y^2 = X^3 − 3X + c_E defined over the 255-bit prime field F_q, where

  c_E = 14262957895783764742987524732821199570860243293007735537575027051453663494306;
  q = 50272551883931021408091448710235646749904660980498576680086699865431843568847.

As above, we compute its trace t = 1200 via the SEA algorithm in about 10 seconds, and an easy factorization yields D_K = −7 and

  v = 2 · 127 · 582509 · 582511 · 852857 · 2305843009213693951 = 2 · 127 · p_1 · p_2 · p_3 · p_4.

Let us run Algorithm 2 to compute O(E). We start with w = 1/3, and first remove the prime factors of v less than exp(log^{1/3} v) ≈ 85. As in Example 1, the constant factors make this a slight underestimate, and we are happy to increase this bound to include both 2 and 127, which we handle by isogeny climbing. We find that neither of these divides u, and therefore E' = E, so we now assume that v = p_1 p_2 p_3 p_4.
We then reach Step 6 and consider divisors u of v less than exp(log^{2w} v) ≈ 4 · 10^8, namely p_1, p_2 and p_3. Starting with u = p_1, the certificate C generated in Step 7 by Certify(u, v, D_K) consists of

  R_{p_1} = R_{p_2} = R_{p_3} = (2^{e_1}, 11^{31}, 37^{1}) and R_{p_4} = (11^{e_1}),

and takes negligible time to compute. The call to Verify(E/F_q, C) takes one second and returns false, proving that u ≠ p_1.

Turning to u = p_2, Certify(u, v, D_K) quickly outputs the certificate

  R_{p_1} = R_{p_2} = R_{p_3} = (2^{e_1}, 11^{2}, 23^{293}) and R_{p_4} = (11^{e_1}),

and Verify(E/F_q, C) returns false after 1.5 seconds of computation; so u ≠ p_2. We next consider u = p_3; the certificate used is

  R_{p_1} = R_{p_2} = R_{p_3} = (2^{239}, 11^{1}, 37^{3}) and R_{p_4} = (11^{e_1}).

Computing and verifying this certificate takes about a second, and in this case the verification succeeds, proving that u = p_3.

The total running time is less than 15 seconds, most of which is spent point-counting. For comparison, it takes FindRelation nearly five minutes to output a relation, followed by a twenty-minute computation to evaluate its cardinality, demonstrating the advantage of Algorithm 2 over Algorithm 1 in this example.
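The following Python, added here and not part of the paper, re-checks the data of Examples 5.1 and 5.2 (that 4q − t^2 = −D_K v^2 with the stated factorization of v) and recomputes the parameters the text quotes: Corollary 7's bound B ≈ 1900 for the first curve, and for the second the Step 6 thresholds exp(log^{1/3} v) ≈ 85 and exp(log^{2/3} v) ≈ 4 · 10^8 with the candidate divisors p_1, p_2, p_3. Function names are my own; the primality test is a Miller-Rabin sanity check, not a proof.

```python
# Added example (not the paper's code): re-check Examples 5.1/5.2 and reproduce the quoted parameters.
from itertools import combinations
from math import exp, log, prod, sqrt

def L(alpha, c, n):
    """The subexponential function L[alpha, c](n) = exp(c (log n)^alpha (log log n)^(1-alpha))."""
    ln = log(n)
    return exp(c * ln ** alpha * log(ln) ** (1 - alpha))

def is_probable_prime(n):
    """Miller-Rabin with the first twelve primes as bases (a sanity check, not a proof)."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2 or any(n % p == 0 for p in bases):
        return n in bases
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def check_frobenius(q, t, primes, D_K):
    """Verify 4q - t^2 = -D_K v^2 with v = prod(primes), every listed factor being prime."""
    v = prod(primes)
    return 4 * q - t * t == -D_K * v * v and all(map(is_probable_prime, primes))

def step6_candidates(primes, climbed, w=1 / 3):
    """Algorithm 2, Step 6: thresholds exp(log^w v), exp(log^{2w} v) from the full v, and the
    divisors of v/prod(climbed) below the upper one; `climbed` = primes removed by isogeny climbing."""
    v = prod(primes)
    lo, hi = exp(log(v) ** w), exp(log(v) ** (2 * w))
    rest = [p for p in primes if p not in climbed]
    divisors = {prod(c) for r in range(1, len(rest) + 1) for c in combinations(rest, r)}
    return lo, hi, sorted(u for u in divisors if u < hi)

# Data as printed in the text: Example 5.1 (200-bit q) and Example 5.2 (255-bit q).
Q1 = 1606938044258990275550812343206050075546550943415909014478299
V1 = [2, 127, 524287, 7195777666870732918103]
Q2 = 50272551883931021408091448710235646749904660980498576680086699865431843568847
V2 = [2, 127, 582509, 582511, 852857, 2305843009213693951]
B1 = L(1 / 2, 1 / sqrt(12), Q1)  # Corollary 7's bound for Example 5.1, about 1900
```

Note that 127 lies above the lower threshold of roughly 85, which is the "slight underestimate" remark in the text; the example therefore passes 2 and 127 explicitly as the primes handled by isogeny climbing.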